IT Risk Assessment Template

  • 8/10/2019 It Risk Assesment Template

    SORTED RISK ASSESSMENT MATRIX Worksheet

    AUDITOR: AUDIT: DATA CENTER

    DATE:

    THREATS RANK 1 2 +

    RANK COMPONENTS

    1

    2 HARDWARE HIGHEST RISK /

    SOFTWARE In the left

    AUDIT:

    RISK IDENTIFICATION

    FIRE INTRUDERS HACKERS% 3 @ 10 11

    in Cells C%..%).

    highest number)

    and next

    Risks Source & Cause Effects

    Integrity Data corruption

    Definition:

    Relevance of effective communication

    Data corruption, Errors, Omissions

    This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process

    Integrity can be lost from: programming errors, processing (maintenance) errors, management errors

    Not getting the right data/information to the right person/process/system at the right time to allow the right action to be taken

    Definition: the usability and timeliness of information that is either created or summarized by an application system. is the risk associated with not getting the right data/information to the right person/process/system at the right time to allow the right action to be taken.

    Access

    Definition:

    Availability

    Inappropriate security access set

    Infrastructure

    Definition:

    Lack or weak organization planning

    Disorganized and dysfunctional IT decisions. Lack of proactive security policies and procedures or inconsistent one among IS and divisions.

    the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost

    Domain Policies

    User Interface Proper segregation of duties

    Processing

    Interface

    Data

    The adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete

    Balancing and reconciliation controls to ensure that data processing has been complete and timely

    To ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.

    Adequate data management controls including both the security/integrity of processed data and the effective management of databases and data structures.

    Data, Applications, Report

    Business Process

    Application

    Network

    Physical

    How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.

    Define the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.

    Data & Data Management

    Policies on security related to users access to specific data or databases within the environment.

    Processing Environment

    Secure the host computer system where application systems and related data are stored and processed from.

    Secure the mechanism used to connect users with a processing environment.

    Policies and procedures related to Physical security of physical IS devices.

    Critical IS system, applications and data.

    Risks that can be avoided by monitoring performance proactively by addressing systems issues before a problem occurs

    Backups and contingency planning policies and procedures where restore/recovery techniques can be used to minimize the extent of a disruption.

    IS department mission and organization

    Define how IT will impact the business and how IT is articulated. It is important to have adequate executive level support and buy

    User Interface Processing Error Processing Interface

    COMPONENT

    Rank

    0

    Total Integrity Risk

    whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.

    whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.

    whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis

    whether there are adequate preventi… detective controls … ensure that data th… been processed a… summarized is adequately and completely transm… and processed by another applicatio… system that it feed… data/information to

    Data

    These risks are associated with adequate data management controls including both the security/integrity of processed data and the effective management of databases and data structures. Integrity can be lost because of programming errors (e.g., good data processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), management/process errors (e.g., poor management of the systems maintenance process).

    THREATS Total Relevance Risk

    COMPONENTS Rank

    Rank

    the usability and timeliness of information that is either created or summarized by an application system. is the risk associated with not getting the right data/information to the right person/process/system at the right time to allow the right action to be taken.

    THREATS Application Net

    THREATS Total Availability Risk

    Rank

    Rank

    0

    Risks that can be avoided by monitoring performance

    Risks associated with disruptions to system

    COMPONENTS

    and proactively addressing systems issues before a problem occurs

    where restore/recovery techniques can be used to minimize the extent of a disruption

    THREATS

    Rank

    0

    Total Infrastructure Risk

    Organization Planning

    Application system definition and deployment

    Logical security and security administration

    COMPONENTS

    that the definition of how IT will impact the business are clearly defined and articulated. It is important to have adequate executive level support and buy
